[4910] in Kerberos
Re: MIT Kerberos vs DCE-Kerberos
daemon@ATHENA.MIT.EDU (Rich Salz)
Sat Apr 1 21:52:47 1995
To: kerberos@MIT.EDU
Date: 2 Apr 1995 01:28:09 GMT
From: rsalz@osf.org (Rich Salz)
In <3lko9u$7b5@agate.berkeley.edu> mikef@ack.berkeley.edu (Mike Friedman) writes:
>So, I guess this means that if our campus acquires the aforementioned large
>application, we must move to DCE.
Well, it depends on what you mean by "move to." If app requires DCE then you
must install DCE on all would-be client hosts, and create principals for everyone
who is going to use the app. (Or create one principal and have all users act
as one. Bad idea.) How much DCE you need to install depends on what the app uses.
You need the security server, probably the namespace server (CDS); you probably
do not need the time server.
What's the app; can you say?
>If MIT K5 could authenticate DCE-based applications, then,
Can't be done. DCE authentication uses way more then KRB tickets.
>(I'm assuming that DCE security
>can't support K4 clients; is this correct?).
Yup, you're correct.
Sounds to me like you've got a tricky problem if you don't want to
run both Krb4 and (krb5-based) DCE. There are many reasons why you
don't want to do that. You *might* be able to write some k4 gateway
that just forwards to the k5 server...
>Do you have any pointers to other
>online introductory DCE material?
Among other places, http://www.osf.org:8001/, look for the DCE reference(s).
/r$